Some Network Attacks and Lessons Learned - PowerPoint PPT Presentation

Provided by: cse54
Learn more at: https://www.cse.unt.edu
Transcript and Presenter's Notes

1
Some Network Attacks and Lessons Learned
  • Notes for CSCI 4220 and CSCI 5220

2
Lesson Objectives
  • Learn about network protocol attacks
  • Not concerned with application-level attacks
  • Learn how to avoid these attacks
  • Explore lessons learned: things to avoid when
    designing new protocols

3
Background: IP Packets
  (bit offsets in the first row: 0-3 Vers, 4-7 IHL, 8-15 ToS, 16-31 Total Length; every row is 32 bits wide)
  +---------+-------+--------------+-----------------------------+
  | Vers=4  |  IHL  |     ToS      |        Total Length         |
  +---------+-------+--------------+--------+--------------------+
  |        ID (for fragmentation)  | Flags  |  Fragment Offset   |
  +-----------------+--------------+--------+--------------------+
  |       TTL       |   Protocol   |       Header Checksum       |
  +-----------------+--------------+-----------------------------+
  |                      IP Source Address                       |
  +--------------------------------------------------------------+
  |                    IP Destination Address                    |
  +--------------------------------------------------------------+
  |                   Options (usually empty)                    |
  +--------------------------------------------------------------+
  |                             Data                             |
  +--------------------------------------------------------------+
  • Everything is just bits being transmitted
  • Can all be tampered with!
  • Header checksum is not cryptographic: it is there to
    detect transmission errors, not tampering

4
Field Tampering
  • Attack type 1: Put invalid data in fields
  • Example 1: Ping of Death
  • Too-large ping packet crashes the machine
  • Example 2: LAND Attack
  • Specially crafted packet with both source and
    destination set to the victim's address, with fields
    that make the machine lock up
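The two slides above make one point that is easy to state and easy to forget: the IP header checksum is an error-detection code, so anyone who rewrites a field and recomputes it produces a header that validates. The following example is added here and is not part of the original slides; it builds a 20-byte IPv4 header, shows that a rewritten source address still passes the checksum, and then lists the header sanity checks a receiving stack or IDS does apply (the checksum itself, a total length larger than what arrived, and source equal to destination as in the LAND attack). The addresses are the slides' own; the function names are this example's.

```python
import struct
from ipaddress import ip_address


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement
    sum of the header's 16-bit words. Computed over a header whose checksum
    field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_length: int,
                      proto: int = 1, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_length, ident,
                      0, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def retarget_source(header: bytes, new_src: str) -> bytes:
    """Rewrite the source address and recompute the checksum. The result
    validates perfectly: the checksum says nothing about who sent the packet."""
    hdr = header[:10] + b"\x00\x00" + ip_address(new_src).packed + header[16:]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def inspect_ipv4_header(pkt: bytes, wire_length: int) -> dict:
    """Parse a header and list the sanity problems a receiving stack or an
    IDS should flag. wire_length is how many bytes actually arrived."""
    problems = []
    if len(pkt) < 20:
        return {"problems": ["truncated header"]}
    (ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4:
        problems.append("not IPv4")
    if ihl < 20 or ihl > len(pkt):
        problems.append("bad IHL")
    elif ip_checksum(pkt[:ihl]) != 0:
        problems.append("checksum mismatch (transmission error or sloppy tampering)")
    if total_len > wire_length:
        problems.append("total length exceeds bytes received")
    if src == dst:
        problems.append("source equals destination (LAND style)")
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)),
            "proto": proto, "total_length": total_len, "problems": problems}


if __name__ == "__main__":
    # Constructed packet: 10.1.1.42 -> 10.1.1.92, 84 bytes on the wire.
    h = build_ipv4_header("10.1.1.42", "10.1.1.92", 84)
    print(inspect_ipv4_header(h, 84))
    print(inspect_ipv4_header(retarget_source(h, "209.12.17.35"), 84))
```

The point to take away is the last inspection call: the spoofed header reports no problems at all, which is why every countermeasure in the rest of the deck lives in filters and protocol design rather than in the checksum.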

5
IP Spoofing
  • Smurf Attack (Simplified)

  [Diagram: Attacker 24.3.29.123, Intermediary 123.45.67.89, Victim 209.12.17.35]
6
IP Spoofing
  • Smurf Attack (DoS amplification)

  [Diagram: Attacker 24.3.29.123; Intermediaries 123.45.67.1, 123.45.67.2, 123.45.67.3; Victim 209.12.17.35]
  Works particularly well when the Attacker-Intermediaries
  connection is lower bandwidth than the
  Intermediaries-Victim connection
7
IP Spoofing Countermeasures
  • Filter out broadcast messages at the gateway
  • Doesn't work if the intermediary is inside the border!
  • In general: Filter out LAN-only messages across the
    border
  • Egress filtering
  • Only let out packets with appropriate source
    addrs
  • Doesn't stop you from being an intermediary or a
    victim; think of it as being a good netizen

8
TCP Packets
TCP adds sessions or connections to the bare
IP protocol
  (bit offsets: 0-15 left column, 16-31 right column; every row is 32 bits wide)
  +------------------------------+-------------------------------+
  |         Source Port          |       Destination Port        |
  +------------------------------+-------------------------------+
  |                       Sequence Number                        |
  +--------------------------------------------------------------+
  |                    Acknowledgment Number                     |
  +--------------+---------------+-------------------------------+
  | Data Offset  |     Flags     |            Window             |
  +--------------+---------------+-------------------------------+
  |           Checksum           |        Urgent Pointer         |
  +------------------------------+-------------------------------+
  |                           Options                            |
  +--------------------------------------------------------------+
  |                             Data                             |
  +--------------------------------------------------------------+
Flags:
  URG  Urgent ptr valid        RST  Reset flag
  ACK  ACK valid               SYN  Synchronize seq #s
  PSH  Push function           FIN  Finish of connection
9
The 3-way handshake
  [Diagram: Client and Server exchanging the three handshake packets; labels give (Flags, Seq, Ack)]
  • To establish a connection, the client must prove that
    it received the SYN/ACK packet!
  • The SYN/ACK packet is routed to the system with the source
    address from the first SYN packet
  • Since this is based on routing, it is only secure back to the
    subnet of the source

10
SYN Issues: Predictability
  • Sequence numbers should be unpredictable
  • Most systems today select random values that meet
    some necessary conditions
  • Otherwise:

  [Diagram: Client and Server; data pretending to come from a fake Src]
  Particularly dangerous when the fake Src is a
  trusted IP address
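The two slides above say that the SYN/ACK only proves reachability of the source address, and that this proof collapses when the server's initial sequence number can be extrapolated. The following simulation is added here and is not from the original slides: a toy listener that models only the handshake state (no sockets), an old-style ISN policy that advances by a fixed step and a random one, and a test of each policy in which the tester learns one ISN from a legitimate connection and then must complete a handshake for a SYN whose source it forged, so whose SYN/ACK it never saw. The step size and the class and function names are this example's assumptions.

```python
import os

MOD = 1 << 32


class TcpListener:
    """Tiny model of a server's handshake state. The SYN/ACK is 'sent' to
    the source address in the SYN, so a sender that forged that address
    never sees the server's ISN and must guess it to finish the handshake."""

    def __init__(self, isn_policy):
        self.isn_policy = isn_policy
        self.last_isn = 0
        self.half_open = {}          # (src, sport) -> server ISN
        self.established = set()

    def on_syn(self, src, sport, client_seq):
        isn = self.isn_policy(self)
        self.last_isn = isn
        self.half_open[(src, sport)] = isn
        # (Flags, Seq, Ack) of the SYN/ACK; it is routed to src, whoever sent the SYN
        return ("SYN/ACK", isn, (client_seq + 1) % MOD)

    def on_ack(self, src, sport, ack):
        """Final ACK: accepted only if it acknowledges our ISN, i.e. the
        sender proves it received the SYN/ACK (or guessed it)."""
        isn = self.half_open.pop((src, sport), None)
        if isn is None or ack != (isn + 1) % MOD:
            return False
        self.established.add((src, sport))
        return True


def incrementing_isn(server):
    """Old style: the ISN advances by a fixed step per connection (assumed 64000)."""
    return (server.last_isn + 64000) % MOD


def random_isn(server):
    """What the slide recommends: 32 random bits per connection."""
    return int.from_bytes(os.urandom(4), "big")


def blind_guess_succeeds(isn_policy, trusted_src="123.45.67.1", step=64000):
    """Evaluate an ISN policy against the scenario on the slide: one
    legitimate connection reveals an ISN, then a SYN with a forged source
    is followed by an ACK that extrapolates the next ISN from the sample.
    Returns True if the forged session ends up established."""
    server = TcpListener(isn_policy)
    _, observed, _ = server.on_syn("24.3.29.123", 4000, 1000)   # legitimate probe
    server.on_ack("24.3.29.123", 4000, (observed + 1) % MOD)
    server.on_syn(trusted_src, 5000, 2000)        # forged source; SYN/ACK goes elsewhere
    guess = (observed + step + 1) % MOD           # extrapolated from the probe
    return server.on_ack(trusted_src, 5000, guess)


if __name__ == "__main__":
    print("incrementing ISN, forged session accepted:", blind_guess_succeeds(incrementing_isn))
    print("random ISN, forged session accepted:", blind_guess_succeeds(random_isn))
```

With the incrementing policy the forged session is always accepted; with random ISNs a single guess succeeds with probability 2^-32, which is the whole difference between "secure back to the subnet of the source" and not secure at all.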
11
SYN Issues: SYN Flooding
  [Diagram: Client, Server, and the server's data structures for half-open connections]
  • DoS isn't due to traffic volume but to resource
    exhaustion (memory) in the server O.S.
  • Early network stacks had a severely limited
    number of half-open structures available
  • Can spoof the SRC address with a non-existent host

12
SYN Flooding Solutions
  • SYN cookies
  • Basic idea: Use cryptography to avoid saving
    state
  • Specifically: Store info in Seq to verify upon
    ACK
  • Time: Increments every 64 seconds
  • MSS: Maximum Segment Size (must be remembered!)
  • Cryptographic hash w/secret gives unpredictability
  • Only the server and the receiver of the seq can
    reproduce the seq
  • Not perfect: Limited MSS options, 24 bits can be
    brute-forced, ...
  • Router solutions (protect hosts without modifying
    hosts)
  • Rate limiting/shaping, Cisco router TCP
    Intercept feature, ...

  Seq = | Time t (5 bits) | MSS (3 bits) | Hash(secret, srcIP, destIP, sPort, dPort, t) (24 bits) |
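The SYN cookie layout on the slide (5 bits of time, 3 bits of MSS, 24 bits of keyed hash) can be written down in a few lines, and doing so shows both why no per-connection state is needed and where the "not perfect" caveats come from. This example is added here and is not the slides' or any operating system's code: HMAC-SHA256 truncated to 24 bits stands in for the slide's Hash(secret, ...), the 8-entry MSS table is an assumption, and the one-tick staleness window is a choice for this example.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)                 # server-side secret (rotated periodically in practice)
# Assumed 8-entry MSS table: 3 bits can only index eight choices, hence "limited MSS options".
MSS_TABLE = [536, 1024, 1220, 1440, 1460, 4312, 8960, 65495]


def mss_index(client_mss: int) -> int:
    """Largest table entry that does not exceed what the client offered."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= client_mss:
            idx = i
    return idx


def cookie_hash(src: str, dst: str, sport: int, dport: int, t: int) -> int:
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_mss, now):
    """Server ISN = 5-bit time counter | 3-bit MSS index | 24-bit keyed hash.
    Nothing is stored for the half-open connection; a flood costs only CPU."""
    t = (now // 64) & 0x1F                      # counter increments every 64 seconds
    return (t << 27) | (mss_index(client_mss) << 24) | cookie_hash(src, dst, sport, dport, t)


def check_syn_cookie(src, dst, sport, dport, ack, now, max_age_ticks=1):
    """On the final ACK, recover the cookie as ack - 1 and verify it.
    Returns the MSS to use, or None if the ACK is stale or not ours."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, m, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (now // 64) & 0x1F
    if ((current - t) & 0x1F) > max_age_ticks:   # modular age in 64-second ticks
        return None
    expected = cookie_hash(src, dst, sport, dport, t)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[m]


if __name__ == "__main__":
    now = 1_000_000
    isn = make_syn_cookie("10.1.1.42", "10.1.1.92", 40000, 80, 1460, now)
    print("cookie ISN:", hex(isn))
    print("valid ACK 30s later  ->", check_syn_cookie("10.1.1.42", "10.1.1.92", 40000, 80, isn + 1, now + 30))
    print("same ACK 300s later  ->", check_syn_cookie("10.1.1.42", "10.1.1.92", 40000, 80, isn + 1, now + 300))
    print("ACK from other port  ->", check_syn_cookie("10.1.1.42", "10.1.1.92", 40001, 80, isn + 1, now))
```

The brute-force remark on the slide is visible in the layout: an ACK that guesses the 24-bit hash for a chosen 4-tuple has a 2^-24 chance per attempt, and the time field only has to land within the staleness window, so cookies are a fallback for when the half-open table is full rather than a replacement for it.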
13
Combining Techniques: The Mitnick Attack
  [Diagram: SYN Flood to disable network; Trusted Admin server, Attacker, Target]
  • Lessons learned
  • In network stack: Seqs must be unpredictable!
  • In network setup: Should filter out local srcIPs
    coming from outside
  • In application: IP-based trust is a very bad
    idea!
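The "network setup" lesson here and the egress filtering and broadcast filtering on the IP Spoofing Countermeasures slide are the same rule viewed from the two sides of a border: a packet leaving must carry one of our source addresses, a packet arriving must not, and nobody outside gets to address our broadcast addresses. The following border filter is an added example, not the slides' or any vendor's configuration; the inside prefix 123.45.67.0/24 is assumed from the intermediary addresses the slides use, and the sample traffic is constructed from the deck's addresses.

```python
from ipaddress import ip_address, ip_network


class BorderFilter:
    """Anti-spoofing rules at a site border. inside_prefixes are the
    prefixes this site legitimately uses (assumed for the example)."""

    def __init__(self, inside_prefixes):
        self.inside = [ip_network(p) for p in inside_prefixes]

    def is_inside(self, addr) -> bool:
        a = ip_address(addr)
        return any(a in n for n in self.inside)

    def is_broadcast(self, addr) -> bool:
        a = ip_address(addr)
        return a == ip_address("255.255.255.255") or any(
            a == n.broadcast_address for n in self.inside)

    def outbound(self, src, dst):
        """Egress filtering: only our own addresses may leave as sources,
        so this site cannot be used as a launch point for spoofed traffic."""
        if not self.is_inside(src):
            return False, "egress: source address not ours (spoofed)"
        return True, "ok"

    def inbound(self, src, dst):
        """Ingress filtering (the Mitnick lesson): a packet from outside
        cannot carry a local source, and outsiders may not reach our
        broadcast addresses (the Smurf amplifier)."""
        if self.is_inside(src):
            return False, "ingress: local source arriving from outside (spoofed)"
        if self.is_broadcast(dst):
            return False, "ingress: directed broadcast (Smurf amplifier)"
        return True, "ok"


def audit(border: BorderFilter, packets):
    """packets: iterable of (direction, src, dst). Returns dropped packets with reasons."""
    dropped = []
    for direction, src, dst in packets:
        ok, why = border.outbound(src, dst) if direction == "out" else border.inbound(src, dst)
        if not ok:
            dropped.append((src, dst, why))
    return dropped


# Constructed sample traffic using the addresses from the Smurf slides.
SAMPLE = [
    ("in",  "24.3.29.123",  "123.45.67.255"),   # ping to our broadcast address
    ("in",  "123.45.67.1",  "123.45.67.5"),     # outside packet claiming an inside source
    ("in",  "24.3.29.123",  "123.45.67.5"),     # ordinary inbound traffic
    ("out", "209.12.17.35", "24.3.29.123"),     # inside host spoofing the victim's address
    ("out", "123.45.67.1",  "209.12.17.35"),    # ordinary outbound traffic
]

if __name__ == "__main__":
    for src, dst, why in audit(BorderFilter(["123.45.67.0/24"]), SAMPLE):
        print(f"drop {src} -> {dst}: {why}")
```

As the countermeasures slide notes, the egress half protects other people rather than you, and none of this helps when the intermediary or the spoofing host is already inside the border.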

14
Message Interception
  • Original Ethernet: shared medium
  • All systems on a LAN see all traffic
  • Usually ignore all but those addressed to them (based on MAC
    addr)
  • However: Interfaces can be put into promiscuous
    mode
  • Ethernet evolution 1: Hubs
  • Star topology, but all traffic still goes to all hosts
  • Ethernet evolution 2: Switches
  • Switch remembers which MAC addresses are
    connected to which ports, and sends traffic only
    to the addressed host
15
ARP: Finding the right host
  • Problem:
  • Ethernet works on MAC addresses (doesn't
    understand IP)
  • IP works on IP addresses (doesn't understand
    Ethernet)
  • How do we get a packet to the right host?
  • Answer: The Address Resolution Protocol (ARP)
  • Example: Host 10.1.1.42 wants to send to
    10.1.1.92
  • But! It only knows the IP address, not the MAC address
  • So: Broadcasts an ARP message on Ethernet saying
    "Who has 10.1.1.92?"
  • 10.1.1.92 responds with "I have 10.1.1.92. My
    MAC is 00:02:2d:9a:27:72"
  • Now 10.1.1.42 sends over Ethernet to this MAC

16
When ARP goes bad: ARP Spoofing
  • Performance: Hosts keep an ARP Table of known
    IP address <-> MAC mappings
  • Doesn't have to ask if the MAC address is known
  • Updates table with each "I have a.b.c.d" message
  • Expires mappings regularly (in case the IP moves)
  • ARP spoofing: To sniff on a switched Ethernet
  • Attacker (on same LAN) sends out "I have a.b.c.d"
    messages for the target machine (or all machines!)
  • Packets are then sent to the attacker rather than the
    destination (which could be the gateway router)
  • Attacker can then forward packets so there is no
    disruption, just monitoring

17
ARP Spoofing Countermeasures
  • Static ARP tables
  • Sensitive subnets should use static ARP tables
  • Mappings don't expire
  • Mappings are hard-coded to be genuine by the
    administrator
  • Not perfect: MAC address spoofing still
    possible!
  • Possible future directions
  • A better solution is still an unresolved research
    issue
  • Some suggest authenticated ARP
  • Uses digital signatures (PK Crypto), so slow,
    and ARP needs to be very low overhead!
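The ARP spoofing slide describes the cache behaviour that makes the attack work (every "I have a.b.c.d" reply updates the table, entries expire), and the countermeasures slide describes static entries. The following host-side ARP cache is an added example, not code from the slides or from any operating system: static entries refuse updates and raise an alert when a reply contradicts them, dynamic entries expire after a TTL, and two heuristics flag the symptoms of spoofing on the wire (a mapping that changes before it has expired, and one MAC answering for several addresses). The TTL, the threshold and the gateway MAC are assumptions; 00:02:2d:9a:27:72 is the MAC from the ARP slide.

```python
from dataclasses import dataclass


@dataclass
class ArpEntry:
    mac: str
    static: bool = False
    learned_at: float = 0.0


class ArpTable:
    """Host ARP cache with administrator-pinned static entries and simple
    spoofing heuristics. TTL and the multi-address threshold are assumed."""
    TTL = 60.0                 # seconds a dynamic mapping stays valid
    MULTI_IP_THRESHOLD = 2     # other IPs a MAC may already answer for before we alert

    def __init__(self, static=None):
        self.table = {ip: ArpEntry(mac.lower(), static=True)
                      for ip, mac in (static or {}).items()}
        self.alerts = []

    def on_reply(self, ip, mac, now):
        """Handle an 'I have <ip>, my MAC is <mac>' message.
        Returns True if the cache was updated."""
        mac = mac.lower()
        cur = self.table.get(ip)
        if cur is not None and cur.static:
            if cur.mac != mac:
                self.alerts.append(f"t={now}: {mac} claims {ip}, static entry says {cur.mac}")
            return False                       # static mappings never change
        if cur is not None and cur.mac != mac and now - cur.learned_at < self.TTL:
            self.alerts.append(f"t={now}: {ip} moved {cur.mac} -> {mac} before expiry")
        # A single MAC answering for many addresses is the classic signature of a
        # sniffer impersonating the LAN (legitimate proxy ARP looks the same, hence a heuristic).
        others = [i for i, e in self.table.items() if e.mac == mac and i != ip]
        if len(others) >= self.MULTI_IP_THRESHOLD:
            self.alerts.append(f"t={now}: {mac} now answers for {len(others) + 1} addresses")
        self.table[ip] = ArpEntry(mac, learned_at=now)
        return True

    def lookup(self, ip, now):
        """Return the MAC for ip, expiring stale dynamic entries on the way."""
        entry = self.table.get(ip)
        if entry is None:
            return None
        if not entry.static and now - entry.learned_at >= self.TTL:
            del self.table[ip]
            return None
        return entry.mac


if __name__ == "__main__":
    # Constructed sequence: pinned gateway, a normal host, then replies that contradict both.
    arp = ArpTable(static={"10.1.1.1": "00:00:5e:00:53:01"})
    arp.on_reply("10.1.1.92", "00:02:2d:9a:27:72", now=0.0)
    arp.on_reply("10.1.1.1", "00:02:2d:aa:bb:cc", now=5.0)      # contradicts the static gateway entry
    arp.on_reply("10.1.1.92", "00:02:2d:aa:bb:cc", now=20.0)    # 10.1.1.92 "moves" after 20 s
    for alert in arp.alerts:
        print(alert)
```

The static entry is what the countermeasures slide promises: the gateway mapping survives the contradicting reply. The alerts are the practical addition for a LAN that cannot pin everything; they detect the symptom, and the slide's caveat still holds, since a sender who also forges the pinned MAC is not caught here.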

18
Fragmentation issues
  • Fragmentation: Breaking up long IP packets to
    fit in a particular type of low-level link
  • Example: Slow PPP might use a maximum packet
    length of 500 bytes for responsiveness vs.
    typical Ethernet length 1468 bytes
  • Security issues
  • Using fragmentation to avoid an Intrusion
    Detection System
  • Break up a signature into multiple fragments
  • How are overlapping packets re-assembled?

  Fragment 1: "defauls"    Fragment 2: "t.ida"    (the two overlap in one byte)
  Reassembly:
    default.ida   (what the host gets: the later fragment's byte wins)
    defauls.ida   (what the IDS sees: the earlier fragment's byte wins)
    No signature match!
19
Fragmentation issues, Cont'd
  • Solutions?
  • Try every possible packet reassembly
  • Problem: n fragments gives 2^n reassemblies
  • Know how major OSes work and try those assemblies
  • Problem: What if a new machine or new network
    stack?
  • Reassemble packets at the firewall
  • Only a consistent reassembled packet stream is seen
    inside
  • Problems:
  • Difficult to keep up with a very high bandwidth
    connection at the gateway
  • Doesn't protect from internal attacks
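The overlap example on the previous slide and the "reassemble at the firewall" solution on this one come down to one small piece of code: a reassembler with a policy for the overlapping byte, and a normalizer that refuses ambiguous fragment sets. The following is an added example, not code from the slides or from any IDS or firewall: it reassembles the slide's two fragments under a first-wins and a last-wins policy, shows that the signature check disagrees between them, and implements gateway normalization as "drop any fragment set with overlaps" so that hosts inside only ever see one consistent stream. The fragments and the signature string are the slide's; the function names are this example's.

```python
SIGNATURE = b"default.ida"    # the signature string from the slide's example


def reassemble(fragments, policy="first"):
    """fragments: list of (offset, payload) in arrival order.
    policy 'first': bytes already written are kept when a later fragment overlaps.
    policy 'last':  a later fragment overwrites earlier bytes.
    Returns None if the fragments leave a hole."""
    buf = {}
    for offset, payload in fragments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    if set(buf) != set(range(max(buf) + 1)):
        return None                                   # hole: cannot reassemble
    return bytes(buf[i] for i in range(max(buf) + 1))


def has_overlap(fragments):
    """True if any two fragments claim the same byte position."""
    covered = set()
    for offset, payload in fragments:
        span = set(range(offset, offset + len(payload)))
        if span & covered:
            return True
        covered |= span
    return False


def signature_seen(fragments, policy):
    """What a signature matcher decides under a given reassembly policy."""
    data = reassemble(fragments, policy)
    return data is not None and SIGNATURE in data


def normalize_at_gateway(fragments):
    """Firewall-side normalization from the slide: refuse ambiguous
    (overlapping) fragment sets, so every host inside sees one consistent
    reassembly and the IDS no longer has to guess the host's policy."""
    if has_overlap(fragments):
        return None
    return reassemble(fragments, "first")


# Constructed fragments from the slide: the byte at offset 6 is claimed by both.
FRAGMENTS = [(0, b"defauls"), (6, b"t.ida")]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(FRAGMENTS, policy), "signature:", signature_seen(FRAGMENTS, policy))
    print("gateway passes overlapping set:", normalize_at_gateway(FRAGMENTS))
```

Trying both policies is the "know how major OSes work" option with n = 2; the normalizer is the option that removes the ambiguity instead of enumerating it, at the cost the slide names, namely doing reassembly work at line rate on the gateway.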

20
Some tools to know about
  • nmap
  • Network mapper: See what your machines look like
    to the network
  • ethereal
  • Nice packet sniffer
  • dsniff
  • Sniffer with special attacks built in, such as
    ARP spoofing
  • snort
  • Combination packet sniffer and IDS

21
Summary and Wrap-up
  • Designing network protocols is very tricky!
  • New protocols are appearing every day: some fix old
    problems, some introduce new problems!
  • A good firewall/router can protect you from many
    outside attacks, but beware of insiders!
  • Crypto can protect high-level protocols, but there is not
    much that it can do at the link or network layers
  • Note: Wireless networks have this problem too!